kubectl
kubectl is the command-line interface (CLI) of Kubernetes, being the essential management tool for Kubernetes users and administrators.
Instead of listing all of its subcommands, this article will show you how to use it effectively, navigate your way around and look up any assistance you might need.
kubectl -h
for listing subcommandskubectl options
for global optionskubectl <command> --help
for assistance with subcommandskubectl [command][PARAMS] -o=<format>
to set your output format, for example json, yaml, jsonpath etc.kubectl explain[RESOURCE]
to display a resource’s definition
Your first step
The first step in using kubectl is to set up your Kubernetes cluster and its authentication methods, this includes:
Information about the cluster: the Kubernetes server’s address
User information: user name, password or key
Context: a combination of cluster information, user information and namespace
Here’s an example:
Some common command patterns
Create:
kubectl run <name> --image=<image>
orkubectl create -f manifest.yaml
Check:
kubectl get <resource>
Update:
kubectl set
orkubectl patch
Delete:
kubectl delete <resource> <name>
orkubectl delete -f manifest.yaml
Check a Pod IP:
kubectl get pod <pod-name> -o jsonpath='{.status.podIP}'
Execute commands inside a container:
kubectl exec -ti <pod-name> sh
Check for a container's logs:
kubectl logs [-f] <pod-name>
Share a service:
kubectl expose deploy <name> --port=80
Decode from Base64:
Take note that kubectl run
only supports creating resources like Pod, Replication Controller, Deployment, Job and CronJob. Specifying which resources are created depends on which parameters you pass, by default, it's a Deployment:
Resource type | Parameter |
---|---|
Pod |
|
Replication Controller |
|
Deployment |
|
Job |
|
CronJob |
|
Command-line auto-completion
For Linux systems:
For MacOS:
Customized output columns
Say, you want to check requests or limits for resources for all Pods:
Checking Logs
kubectl logs
are for displaying content output from programs running inside a container. It’s similar to Docker's logs command.
Note: kubectl can only check logs for individual containers. If you want to check logs for multiple pods simultaneously, you can use stern. For example:
stern --all-namespaces -l run=nginx
.
Connect to a Running Container
kubectl attach
is used to connect to a running container. It's similar to Docker's attach command.
Execute Commands Inside a Container
kubectl exec
is used to execute commands inside a running container. It's similar to Docker's exec command.
Note: For multiple-container Pods, the default container for kubectl commands can be set by kubectl.kubernetes.io/default-container annotation
Port Forwarding
kubectl port-forward
is used to forward a local port to a specified Pod.
Also, local ports can be forwarded to services, replica sets or deployments.
API Server Proxy
The kubectl proxy
command creates an HTTP proxy to service Kubernetes APIs.
Direct access to the Kubernetes API through the proxy address http://localhost:8080/api/
can be achieved. A list of pods can be retrieved, for example:
If accessing port 8080 from a non-localhost address specified by --address
, an unauthorized error will be received. To rectify this (recommended for non-production environments) the setting --accept-hosts
can be adjusted:
Copying Files
kubectl cp
enables you to copy from a container or to copy files into a container.
Note that file copying depends on the tar command, so the tar command must be executable within the container.
Node Draining with kubectl Drain
Deletes pods on that NODE created by ReplicationController, ReplicaSet, DaemonSet, StatefulSet or Job
Doesn't delete mirror pods (since they can't be deleted through the API)
If there are other types of Pods (for e.g., directly created by kubectl create), if --force option isn't present, the command fails
If --force option is included in the command, it will delete Pods that were not created by ReplicationController, Job or DaemonSet
Sometimes radical solutions like evicting pods is unnecessary. If you just need to make the Node not callable, you can use the kubectl cordon
command.
To reset, just type kubectl uncordon NODE
to make the NODE schedulable again.
Permissions Check
The kubectl auth
provides two subcommands for checking a user's authorization status:
kubectl auth can-i
checks whether a user has permission to perform certain operations:
kubectl auth reconcile
automatically fixes problematic RBAC policies:
Simulating Other Users
kubectl supports you to simulate other users or groups for cluster management operations:
This is equivalent to adding following HTTP HEADER when requesting Kubernetes API:
Event Inspection
kubectl Plugins
The kubectl plugin provides a mechanism to extend kubectl, such as adding new subcommands. The plugin can be written in any language as long as it meets the following criteria:
The plugin resides in
~/.kube/plugins
or a directory specified by theKUBECTL_PLUGINS_PATH
environment variableThe format of the plugin is 'subdirectory / executable file or script' and the subdirectory must contain a
plugin.yaml
configuration file.
For example:
You can also use krew to manage your kubectl plugins.
Raw URIs
kubectl can also be used to directly access raw URIs. For example, you can access the Metrics API:
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes
kubectl get --raw /apis/metrics.k8s.io/v1beta1/pods
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes/<node-name>
kubectl get --raw /apis/metrics.k8s.io/v1beta1/namespaces/<namespace-name>/pods/<pod-name>
Appendix
The Kubectl Installation
最后更新于